[kitten] OAUTH/SASL... to HTTP or not to HTTP, that is the question...

William Mills <wmills@yahoo-inc.com> Wed, 04 April 2012 00:59 UTC

References: <1333498239.81695.YahooMailNeo@web31804.mail.mud.yahoo.com>
Message-ID: <1333501139.69852.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Tue, 03 Apr 2012 17:58:59 -0700
From: William Mills <wmills@yahoo-inc.com>
To: "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <1333498239.81695.YahooMailNeo@web31804.mail.mud.yahoo.com>
Subject: [kitten] OAUTH/SASL... to HTTP or not to HTTP, that is the question...

The major question remaining for my draft is HTTP(like) or not for the SASL message format?  Please select one of the following:
A)    The current message format is fine.
B)    HTTP-like is OK as long as we limit the insanity.
C)    HTTP in any form is a deal breaker for me.  Give me something simple.
D)    None of the above, and I have a possible solution of my own to propose.

For B above it's likely that we'd say something like "The server MUST parse the Host, User, and Authorization headers and the server MAY discard anything else.  The client MUST NOT use any HTTP extensions such as compression and pipelining, and SHOULD NOT use line continuations."

Thanks in advance for the input,

-bill
>________________________________
> From: William Mills <wmills@yahoo-inc.com>
>To: "kitten@ietf.org" <kitten@ietf.org> 
>Sent: Tuesday, April 3, 2012 5:10 PM
>Subject: [kitten] Feedback from IETF #83 on the OAUTH/SASL-KRB draft
> 
>
>
>I went to IETF #83 specifically to get feedback (and I thought a tentative decision) on the question of whether the SASL message format currently there which uses HTTP was a good idea or not.  I did get a ton of good feedback in individual conversations; the conversation in the working group itself was a little less lively.
>
>From the WG meeting:
>-    several folks promised to read deeper and bring comments back to the list.
>-    Hannes' comment at the mic (my summary) was that given the many successful integrations against Google's XOAUTH that staying close to those has great value for getting successful uptake, and that adapting the code those clients use to new endpoints 
>
>From general feedback from random folks:
>-    Many folks said HTTP is in fact very hard to parse correctly if you have to parse it fully.
>-    Some folks felt existing implementations close to a proposed spec are likely to add to successful adoption.
>-    a few folks felt that it's reasonable to limit the stuff that actually has to be parsed.
>
>There are real differences between the complexity needed for XOAUTH and for the proposed OAUTH mechanism.  XOAUTH does everything in the URL, where the OAUTH proposal  I'll post here the Google XOAUTH SASL message format, and an example from the draft spec:
>
>From http://sites.google.com/site/oauthgoog/Home/oauthimap for XOAUTH:
>
>For example, before base64-encoding, the initial client request might look like this (with linebreaks added for clarity):
>
>(2-legged OAuth)
>GET https://mail.google.com/mail/b/someuser@example.com/imap/?xoauth_requestor_id=someuser%40example.com
>    oauth_consumer_key="example.com",
>    oauth_nonce="4710307327925439451",
>    oauth_signature="75%2BB63NbW2GdDMaOCEd%2Fy%2Fb%2B0Qk%3D",
>    oauth_signature_method="HMAC-SHA1",
>    oauth_timestamp="1260933683",
>    oauth_version="1.0"
>
>For the OAUTH mechanism a similar style signed request example is:
>GET / HTTP/1.1
>Host: server.example.com
>User: user@example.com
>Authorization: MAC token="h480djs93hd8",timestamp="137131200", nonce="dj83hs9s",signature="YTVjyNSujYs1WsDurFnvFi4JK6o="
>
>
>The OAUTH mechanism will require (as currently specified) parsing of a Host, User, and Authorization header.  The path and query is actually ignored at present.  Based on this message I'll be posing questions to the list.
>
>Regards,
>
>-bill
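As an added illustration of what option B's restricted parse would look like (example code written for this page, not from the draft or from anyone in the thread): a Python parser that accepts the draft's OAUTH example quoted above, interprets only the Host, User and Authorization headers, discards any other header, ignores the request path and query, and rejects line continuations instead of trying to handle full HTTP. The sample message is constructed from the example in the quoted mail.

```python
import re

# Constructed sample, copied from the draft's OAUTH example quoted above.
SAMPLE = (
    "GET / HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "User: user@example.com\r\n"
    'Authorization: MAC token="h480djs93hd8",timestamp="137131200", '
    'nonce="dj83hs9s",signature="YTVjyNSujYs1WsDurFnvFi4JK6o="\r\n'
    "\r\n"
)

REQUIRED = ("host", "user", "authorization")
_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")   # path/query ignored
_PARAM = re.compile(r'([A-Za-z_]+)="([^"]*)"')            # name="value" pairs


def parse_sasl_http_message(raw):
    """Parse the restricted HTTP-like SASL client message (option B).

    Only Host, User and Authorization are interpreted; any other header is
    discarded. Line continuations and malformed lines are rejected.
    """
    head, sep, _ = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing blank line that ends the headers")
    lines = head.split("\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):          # obs-fold / line continuation
            raise ValueError("line continuation not permitted")
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        if name in REQUIRED:                 # everything else is discarded
            if name in headers:
                raise ValueError("duplicate header: %s" % name)
            headers[name] = value.strip()
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise ValueError("missing header(s): %s" % ", ".join(missing))
    scheme, _, params = headers["authorization"].partition(" ")
    return {"host": headers["host"], "user": headers["user"],
            "scheme": scheme, "params": dict(_PARAM.findall(params))}
```

Verifying the MAC signature itself is out of scope here; the parser only yields the fields the draft says a server must interpret.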